B
Ben
Hi,
Some of you may remember back in June I posted a topic entitled 'Network
Computer Games on Business Machines' which detailed the problem we were
having with some of our users installing software & games on their machines,
as they were local admins (against my recommendations). A number of people
posted replies, including PA Bear, Malke, Aaron etc with advice, and
recommendations including presenting the directors with a risk analysis.
Well I went on holiday the following week, and while there wrote up a fairly
long, detailed risk analysis, which I gave to our directors when I returned.
Surprisingly they actually accepted and agreed with the risk analysis, and
decided to back me in removing all users from the local admins group!
This was going well on most of our users workstations, with little or no
side effects. I decided to use VM workstation for our developers who needed
to install/uninstall development software, allowing them to be local admins
on their virtual system, but not the base system. Then we came to our
business analysis/modelers. They use a piece of business modelling software
that is quite flaky, and they have to keep installing/uninstalling and
applying fix packs to get it to work, all this means they need admin rights.
Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB
to run smoothly. These business modellers all have Dell laptops, as they are
mobile consultants, which have a max 2GB ram installed. I tried setting
these guys up with VM workstation, as local admins so they could
install/uninstall, and assigning all but 256mb of the systems ram to the
image however the modeller software ran so painfully slow, that users could
type a sentence and practically make a cup of tea before it would show up on
the screen.
Personally I don't think this software is fit for purpose due to the bugs
and crashes users have experienced, and the fact it requires nearly 2GB of
ram to run smoothly isn't practical for use on laptops, so I think we should
be looking at another product. However, the software is from one of our
business partners, and this means we have to use it. So I need to find
someway of allowing users to install fix packs/re-install the software,
without giving them full local admin access. I don't think virtualisation is
going to work because of the memory problems.
One solution I guess would be to setup a generic local admin user on all
business modeller machines, and get people to use the RUNAS command when
executing the install, however I think this maybe a little complex and
confuse some of our users, and it also risks letting those that do
understand it, install other software, or get access to areas, such as
control panel>user accounts or system, when we don't want them too!
Is there any other way we can allow users to just install specific software,
without being local admins, or giving them access to a local admin account?
How do other companies deal with issues such as this, or does this seem like
a fairly unique situation?
Any advice, recommendations much appreciated!
Ben
Some of you may remember back in June I posted a topic entitled 'Network
Computer Games on Business Machines' which detailed the problem we were
having with some of our users installing software & games on their machines,
as they were local admins (against my recommendations). A number of people
posted replies, including PA Bear, Malke, Aaron etc with advice, and
recommendations including presenting the directors with a risk analysis.
Well I went on holiday the following week, and while there wrote up a fairly
long, detailed risk analysis, which I gave to our directors when I returned.
Surprisingly they actually accepted and agreed with the risk analysis, and
decided to back me in removing all users from the local admins group!
This was going well on most of our users workstations, with little or no
side effects. I decided to use VM workstation for our developers who needed
to install/uninstall development software, allowing them to be local admins
on their virtual system, but not the base system. Then we came to our
business analysis/modelers. They use a piece of business modelling software
that is quite flaky, and they have to keep installing/uninstalling and
applying fix packs to get it to work, all this means they need admin rights.
Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB
to run smoothly. These business modellers all have Dell laptops, as they are
mobile consultants, which have a max 2GB ram installed. I tried setting
these guys up with VM workstation, as local admins so they could
install/uninstall, and assigning all but 256mb of the systems ram to the
image however the modeller software ran so painfully slow, that users could
type a sentence and practically make a cup of tea before it would show up on
the screen.
Personally I don't think this software is fit for purpose due to the bugs
and crashes users have experienced, and the fact it requires nearly 2GB of
ram to run smoothly isn't practical for use on laptops, so I think we should
be looking at another product. However, the software is from one of our
business partners, and this means we have to use it. So I need to find
someway of allowing users to install fix packs/re-install the software,
without giving them full local admin access. I don't think virtualisation is
going to work because of the memory problems.
One solution I guess would be to setup a generic local admin user on all
business modeller machines, and get people to use the RUNAS command when
executing the install, however I think this maybe a little complex and
confuse some of our users, and it also risks letting those that do
understand it, install other software, or get access to areas, such as
control panel>user accounts or system, when we don't want them too!
Is there any other way we can allow users to just install specific software,
without being local admins, or giving them access to a local admin account?
How do other companies deal with issues such as this, or does this seem like
a fairly unique situation?
Any advice, recommendations much appreciated!
Ben